Cisco Patches Critical Vulnerability in Secure Workload
Briefly

A critical-severity vulnerability in Cisco Secure Workload allows attackers to access site resources with Site Admin privileges. The issue is tracked as CVE-2026-20223 with a CVSS score of 10/10 and results from insufficient validation and authentication in REST API endpoints. Exploitation can enable reading sensitive information and modifying configurations across tenant boundaries. The vulnerability affects Secure Workload Cluster Software on both SaaS and on-prem deployments, regardless of device configuration. It impacts internal REST APIs and does not affect the web-based management interface. Fixes are available in versions 3.10.8.3 and 4.0.3.17, and Cisco recommends updating. Cisco also released patches for three medium-severity vulnerabilities affecting ThousandEyes and Nexus devices, including remote command execution with elevated privileges and BGP peer flaps causing denial of service.
"An attacker could exploit this vulnerability if they are able to send a crafted API request to an affected endpoint. Successful exploitation of the security defect allows an attacker to read sensitive information and modify configurations across tenant boundaries, with Site Admin privileges."
"This vulnerability affects Cisco Secure Workload Cluster Software on SaaS and on-prem deployments, regardless of device configuration. This vulnerability affects only internal REST APIs and does not affect the web-based management interface."
"The weakness was addressed in Secure Workload versions 3.10.8.3 and 4.0.3.17. Cisco says it is not aware of this issue being exploited in the wild, but recommends that all users update their appliances to avoid future exposure."
"On Wednesday, the tech giant also released patches for three medium-severity vulnerabilities affecting the ThousandEyes Virtual Appliance, ThousandEyes Enterprise Agent, and Nexus 3000 and 9000 series switches. The bugs could allow attackers to execute commands remotely with root privileges or as the node user, and to trigger BGP peer flaps, leading to a denial-of-service (DoS) condition."
Read at SecurityWeek